Russian Hackers Took Advantage of Windows Flaw, Microsoft Says

A security issue in Windows recently made public by Google has been exploited by Strontium, a hacking group linked to Russia, Microsoft has announced.

Microsoft said it was “disappointed” by Google’s decision to go public with the flaw because a patch is not due to be released until Nov. 8. Now that hackers are aware of the issue, it puts Windows users in their crosshairs, Windows and devices group executive vice-president Terry Myerson said.

“Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” Myerson said in a blog post.

Microsoft Threat Intelligence discovered that Strontium is carrying out a low-volume spear-phishing campaign. The campaign, which was originally identified by Google’s Threat Analysis Group, uses two zero-day vulnerabilities, one in Adobe Flash and one in the down-level Windows kernel, to breach Windows users’ computers.

“Customers using Microsoft Edge on Windows 10 Anniversary Update are known to be protected from versions of this attack observed in the wild,” Myerson said, adding that users running Windows Defender Advanced Threat Protection (ATP) are made aware of any attempted Strontium attack.

Strontium, also known as Fancy Bear and APT 28, is responsible for a number of spear-phishing attacks in 2016. In fact, Microsoft has attributed more zero-day exploits to Strontium than to any other tracked group this year.

Active since at least 2007, Strontium’s favorite targets include government agencies, diplomatic institutions, and the military, as well as defense contractors and public policy research institutes. The hacking group’s usual modus operandi is to use the compromised e-mail account of one victim to send malicious e-mails to the next.

Strontium will “persistently pursue specific targets for months until they are successful in compromising the victims’ computer,” Microsoft said in a report. “Once inside, Strontium moves laterally throughout the victim network, entrenches itself as deeply as possible to guarantee persistent access, and steals sensitive information.”